In my index.php I'm calling all the content like so:

<body>
<?php include("header.php"); ?>
<?php include("content_home.php"); ?>
<?php include("footer.php"); ?>
</body>

Is there a safer way to do this? Thanks.
How about:

$file = file_get_contents("content_home.php");
// Scan for malicious / unallowed code here
// If nothing malicious is found, run the code
eval($file);

But this example would just be useful if you let someone else add PHP files to the website. Not sure why they said it's unsafe with include() though.. Might be if you don't check for possible "Local File Inclusion" aka LFI, you should google that. Except for that there's nothing wrong with include().
There's nothing unsafe about this. It's unsafe to include($abc) where $abc came from a user. Or to include() a file on a remote server that you do not control. But including a specific known local file is fine.
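To illustrate the distinction drawn in the reply above, here is an added example (not code from the thread) showing the request-controlled include beside an allowlist version; page names and file names are hypothetical:

```php
<?php
// Added example, not from the thread. File names are hypothetical.

// UNSAFE pattern (shown only as a comment): the include path comes straight
// from the request, so a visitor chooses which file is read and executed.
//     include($_GET['page'] . '.php');

// SAFER: the request value is only a lookup key into a fixed set of known
// local files; anything not in the map is refused and never touches the path.
const PAGES = [
    'home'    => 'content_home.php',
    'about'   => 'content_about.php',
    'contact' => 'content_contact.php',
];

// Returns the absolute path of an allowed page, or null if the key is unknown
// or the resolved file is somehow outside this script's directory.
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $path = realpath(__DIR__ . '/' . PAGES[$requested]);
    if ($path === false || strpos($path, __DIR__ . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render(array $get): void
{
    $key  = $get['page'] ?? 'home';
    $path = resolve_page($key);
    if ($path === null) {
        http_response_code(404);
        include __DIR__ . '/content_notfound.php';   // hypothetical error page
        return;
    }
    include __DIR__ . '/header.php';
    include $path;                                   // always one of PAGES
    include __DIR__ . '/footer.php';
}

render($_GET);
```

The same fixed filenames the question already uses remain the only ones that can ever be included; the request decides which key is looked up, not which path is opened.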
I don't see any reason why that would be unsafe if they are static and you're not attaching any variable to the end. You basically always want to scrub any user-generated input. Static input is not usually a concern.
Yeah as long as content.php, header.php, etc are the same and not allowed to be changed, you should be fine. However, if they echo stuff that is inputted by the user, you need to sanitize it for XSS attacks.
Just an observation: if you want to be strict with resource management, you should use include_once() and you don't need to open and close the PHP tags after each include:

<html>
...
<body>
<?php
include_once("header.php");
include_once("content_home.php");
include_once("footer.php");
?>
</body>
...
</html>
Bear in mind that include_once() is a lot slower than include(). If you can ensure that it will only be called once, use include(). If you have multiple cross-dependencies, then you are probably stuck using include_once() or rolling your own mechanism which will likely be slower still.
That is impossible. People who are doing that are deluding themselves. There is always one more way to sneak some malicious code through. The only safe approach is never to execute untrusted code in the first place.
Including files which are hosted on your server/hosting space, there's no problem since you know you placed them there. But including remote files (which you don't have access to) could be potentially dangerous, so therefore always clean the data before executing it.